Cybercrime is perhaps the most serious threat to businesses today, yet many executives still underestimate the risks that it poses to their organisations. The C-suite continue to take risks around cybersecurity – but how much risk is too much? Why don't IT and the C-suite's priorities match up? Researchby the Economist Intelligence Unit found that although cybersecurity is the top priority for the vast majority of IT leaders, only five percent of the C-suite share that view. This misalignment between the server room and boardroom benefits only one party: cybercriminals. So how much risk can businesses really afford to take?
The issue is not that risks to cybersecurity are going unrecognised: the study found that 84 percent of IT leaders and 75 percent of business leaders said they experienced increased numbers of cyber-attacks against their organisations last year. Nor are the costs of cybercrime being underplayed: The Australian Crime Commission recently told businesses that the total annual costs of cyber-attacks could easily amount to one percent of GDP – or $17 billion in losses. Rather, this misalignment has come about because of an age-old issue: organisational silos.
IT and business leaders need to engage in clear, intentional dialogue about what constitutes “acceptable risk” from a cybersecurity perspective. Failure to do so not only creates more vulnerabilities when business leaders take on more risk than the organisation can handle, but limits the effectiveness of any response when a breach does occur. When LinkedIn's password databases were breached in 2012, for example, the standard response would've been to publicly acknowledge the issue and force password resets to all accounts. Instead – arguably as a result of executives underestimating the actual impact – the company only revealed the extent of the hack four years afterwards, leaving millions of users at risk and increasing the risk of breaches to other online services.
There are three burning issues which IT and business leaders need to table in order to effectively meet any cyber threat:
Budgets and Funding: PwC revealed that the average large business spent about $10.8m on information security during 2014. Analyst firm Gartner, meanwhile, estimates that the average company allocates about five per cent of annual IT budget to security. As cybersecurity threats continue to increase, more than one in four IT leaders expect a significant security budget increase in the next two years. Only slightly more than 1 in 10 C-suite leaders anticipate the same. In other words, IT is planning to tackle complex cybersecurity threats with resources they're unlikely to actually receive. When these cybersecurity threats turn into real cyber-attacks, these enterprises will find themselves unprepared and defenceless.
The solution is simple: set cybersecurity budgets well in advance. IT leaders should focus on gaining funding for preventive security platforms that permeate the entire enterprise, allowing them to stifle threats regardless of the devices, applications, or infrastructure that end up being attacked. When considering these budget requests, business leaders should interview their IT counterparts about risks that go beyond simple downtime or data loss: potential costs like stolen or lost revenues, reputational damage, and legal action need to be fully quantified and weighed up against the costs of preventive measures.
Most importantly, cybersecurity budget requests should be clearly presented to the business as soon as a potential threat or issue comes to mind – not once that threat becomes reality in an attack.
The shift towards Micro-segmentation: With the proliferation of endpoint access, from almost anything with a screen – laptops, tablets, smartphones, VPN from your home - the data center perimeter isn't so easy to define anymore. In addition, users are given direct data center access and “trusted” to do the right thing when accessing critical business applications. So in this era of the blurred security boundary and data access anywhere, anytime, enterprises need technologies that go beyond simple perimeter defences.
VMware's NSX, for example, acts as a single security “layer” that operates across all virtual workloads, throughout the entire data center, enforcing firewall filtering and third party firewall service insertion at an atomic level – the virtual machine's interface to the network. NSX allows a security administrator to create micro-segments – effectively fencing off applications from each other and thereby reducing the blast radius of malware trying to move laterally through the data center.
Security platforms only work when supported by a shift in mindset that's led by the C-suite. IT and business heads should come together to not only discuss what policies the organisation needs to implement, like data loss prevention and the risk profiles of moving assets into the cloud. They must also implement and enforce penalties for employee noncompliance, just the same as they would for breaching codes of conduct or contractual obligations.
Intelligence-Sharing: Nearly one in five C-suite executives find that their IT teams do not effectively communicate threats and other risks to senior management. In order to address this, the clear and intentional dialogue between both parties must not simply be a one-off or annual affair. It needs to be a constant and consistent flow of information about the most salient risks, caused by both external agents and internal behaviours.
Rather than being an ad hoc item for discussion, cybersecurity should take up a regular segment of executive meetings – including Q-As for business leaders to gain greater clarity if they have trouble understanding their IT counterparts. Some executives – particularly those in operations and legal – may wish to invest even greater time collaborating with cybersecurity teams, from embedding their staff in cybersecurity operations to playing a joint role in assessing risks before presentation to the broader business.
The solution is greater and clearer collaboration between the IT experts who understand the technicalities of cybersecurity threats, and the business decision-makers who have the broader picture and authority to enforce long-term solutions. An organisation divided is easy pickings for cybercriminals: business and IT need to start talking honestly to each other before it's too late.